Bug 174707 - audit is missing fs object identity info when removing some xattrs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Alexander Viro
QA Contact: Brian Brock
Keywords: Security
Depends On: 245197
Blocks: 175213 RHEL4U4Audit xattrs-tracker 245198
Reported: 2005-12-01 11:28 EST by Amy Griffis
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2007-0791
Doc Type: Bug Fix
Last Closed: 2007-11-15 11:13:12 EST
Description Amy Griffis 2005-12-01 11:28:14 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When removing the "trusted.md5sum" xattr, audit does not produce FS_WATCH records for a watched file.  Since audit does not produce PATH records for fremovexattr, this results in no filesystem object identity information for this syscall.

Version-Release number of selected component (if applicable):
kernel-2.6.9-22.0.1.EL.audit.1 (rhel4 u2 kernel + 173500  fix)

How reproducible:
Always

Steps to Reproduce:
1. enable syscall auditing
2. auditctl -a entry,always -S fremovexattr
3. auditctl -w /tmp/foo -k TMP_FOO
4. fd = open("/tmp/foo", O_RDWR, 0);
5. fsetxattr(fd, "trusted.md5sum", "0", sizeof("0"), XATTR_CREATE)
6. fremovexattr(fd, "trusted.md5sum");

Actual Results:  Audit log from x86_64 architecture:

type=SYSCALL msg=audit(1133453735.714:3811): arch=c000003e syscall=2 success=yes exit=3 a0=7fbffffc86 a1=2 a2=0 a3=7fbffff901 items=1 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3811): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=6
type=FS_INODE msg=audit(1133453735.714:3811): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=CWD msg=audit(1133453735.714:3811):  cwd="/home/eal"
type=PATH msg=audit(1133453735.714:3811): name="/tmp/foo" flags=101  inode=213048 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3812): arch=c000003e syscall=190 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=2 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3812): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133453735.714:3812): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3813): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=7fbffff901 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"

Expected Results:  The same operation using the xattr "user.mime_type" with value "text/plain" produces the following records for fremovexattr:

type=SYSCALL msg=audit(1133454070.709:3823): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008fb a2=4008f0 a3=7fbffff901 items=0 pid=7018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133454070.709:3823): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133454070.709:3823): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

Additional info:
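A log check for the gap described in this report, as an added example that is not part of the original report: it groups audit records by event serial and lists xattr syscall events that carry no FS_WATCH, FS_INODE or PATH record. The sample records are abridged from the log above; the syscall table covers only x86_64 fsetxattr (190) and fremovexattr (199), and the function names are this example's own.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the two fd-based calls in the report.
XATTR_SYSCALLS = {190: "fsetxattr", 199: "fremovexattr"}
# Record types that carry filesystem object identity in this audit implementation.
IDENTITY_TYPES = {"FS_WATCH", "FS_INODE", "PATH"}
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")

# Records abridged from the log in the report (some fields dropped for width).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1133453735.714:3812): arch=c000003e syscall=190 success=yes exit=0 a0=3 items=0 pid=6958
type=FS_WATCH msg=audit(1133453735.714:3812): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133453735.714:3812): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=SYSCALL msg=audit(1133453735.714:3813): arch=c000003e syscall=199 success=yes exit=0 a0=3 items=0 pid=6958
type=SYSCALL msg=audit(1133454070.709:3823): arch=c000003e syscall=199 success=yes exit=0 a0=3 items=0 pid=7018
type=FS_WATCH msg=audit(1133454070.709:3823): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133454070.709:3823): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
"""

def group_events(log_text):
    """Group records by event serial: {serial: [(record_type, fields), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events[int(serial)].append((rtype, fields))
    return events

def xattr_events_missing_identity(log_text):
    """Return [(serial, syscall_name)] for xattr events with no identity record."""
    missing = []
    for serial, records in sorted(group_events(log_text).items()):
        types = {rtype for rtype, _ in records}
        for rtype, fields in records:
            if rtype != "SYSCALL" or fields.get("arch") != "c000003e":
                continue
            name = XATTR_SYSCALLS.get(int(fields.get("syscall", -1)))
            if name and not (types & IDENTITY_TYPES):
                missing.append((serial, name))
    return missing

if __name__ == "__main__":
    for serial, name in xattr_events_missing_identity(SAMPLE_LOG):
        print(f"event {serial}: {name} logged without FS_WATCH/FS_INODE/PATH")
```

On the sample, only event 3813 (the "trusted.md5sum" removal) is reported; the "user.mime_type" removal in event 3823 has its FS_WATCH and FS_INODE records.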
Comment 1 Andrius Benokraitis 2005-12-07 11:46:02 EST
Hi Amy, did you have a patch proposed for this, or is this just a notification
of the bug? How severe is this as well? Thanks!
Comment 2 Linda Knippers 2005-12-07 13:46:35 EST
Hi Andrius, 
We don't have a proposed patch, it's just a bug notification.
While it is a problem that ought to be fixed at some point, it
isn't critical for our purposes right now.
Comment 4 Daniel Riek 2006-11-21 14:56:16 EST
Not planned for 4.5. Moving to 4.6
Comment 5 RHEL Product and Program Management 2007-05-09 07:04:01 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 RHEL Product and Program Management 2007-06-11 18:41:51 EDT
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.
Comment 8 Jason Baron 2007-06-19 10:06:06 EDT
Committed in stream U6 build 55.9. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 13 errata-xmlrpc 2007-11-15 11:13:12 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0791.html
